During the last days, security researchers reported a huge spam campaign distributing malicious threat. It turns out that the new ransomeware is a brand new version of TeslaCrypt which is very dangerous for pc users.
The first signs of the new threat were spotted on some computer forums, where users started complaining about being infected with ransomware. According to some analysis made by the community members, the ransomware turned out to be a new version of TeslaCrypt which added minor changes to its code. However, these changes were more than enough to prevent pc users from using the TeslaDecoder to decrypt their files.
Most probably, BloodDolly will update his TeslaDecoder tool to tackle the latest modification, thus users should be very careful when opening attachments received via unsolicited email, or from an unknown sender.
The company which analyzed the spam campaign, Heimdal Security, claims that most infections were detected in Europe’s Nordic countries, meaning that currently Scandinavians are targeted the most. The spam emails contain a ZIP archive and use the old “Dear client, pay your overdue invoice” routine.
Considering the theme chosen by hackers, they might be targeting businesses and not end users, since companies regularly have a hard time keeping track of unpaid invoices and are more prone to opening email attachments from billing-related emails.
The ZIP file attached to the email is booby-trapped via a JavaScript file, and when the user decompresses the archive, it connects to a C&C server and downloads the TeslaCrypt ransomware in the form of an EXE file.
The Heimdal Security team was not specific if TeslaCrypt installs when launching the EXE into execution or (automatically) when unzipping the file, but let’s say you’ll be safer if you don’t download the ZIP file to begin with.
PC users should be aware that the new version of TeslaCrypt ransomware encrypts their files with the .vvv or .zzz extensions and asks them to pay a ransom in Bitcoin via a page hosted via an .onion domain on the Dark Web. What virus victims should do is to remove the malicious threat without paying the ransom.
